Increases the minimum credit top-up to $300.
### Testing
- Head to `/org/_/billing`
- Assert that you're not able to do a top-up for less than $300
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Updates**
* Increased the minimum credit top-up amount from 100 USD to 300 USD.
Form defaults and placeholder text updated to reflect the new minimum.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Feature
## What is the current behavior?
After subscribing to the newsletter in the footer, users only see
"Thanks for subscribing!" with no indication of what to expect next.
## What is the new behavior?
After a successful newsletter signup, a secondary message is shown:
"You'll hear from us when we publish our next newsletter issue." This
sets expectations that they will receive emails when new issues are
published.
## Additional context
Small UX improvement to the footer newsletter form success state.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Enhanced newsletter subscription confirmation message with additional
details about when the next issue will be published.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Bug fix (image)
## What is the current behavior?
The blog thumbnail for the Agent Skills post is 1200x630 with the "Agent
Skills" text flush at the bottom edge. When rendered in the blog grid
(`aspect-[1.91/1]`) and featured view (`aspect-[3/2]`) with
`object-cover`, the text gets cropped.
<img width="3256" height="1282" alt="image (1)"
src="https://github.com/user-attachments/assets/86cbbe57-3e34-4164-9db4-9ed6c74fb897"
/>
## What is the new behavior?
The thumbnail is resized to 2400x1600 with the content vertically
centered, matching the dimensions used by other blog post thumbnails
(e.g. 100K GitHub stars). The text is no longer cut off in any view.
<img width="1510" height="731" alt="image"
src="https://github.com/user-attachments/assets/5256bc27-9830-4bc3-8d24-fbad1beea8ff"
/>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Summary by CodeRabbit
* **New Features**
* Added Passkeys configuration page to manage WebAuthn relying-party
settings and enable/disable passkey auth.
* Added a Beta "Passkeys" item to the Auth settings menu.
* Enabled saving passkey-related authentication parameters.
* **Tests**
* Added test coverage to ensure the Passkeys menu appears or is omitted
based on feature flags.
* **Chores**
* Removed an unused import to tidy the code.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: fadymak <dev@fadymak.com>
Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs - [CLI Config
Reference](https://supabase.com/docs/guides/local-development/cli/config#auth.mfa.totp.enroll_enabled)
## What is the current behavior?
Default values in the cli config reference for mfa totp are set as
`true` which is not correct.
## What is the new behavior?
Changed to use `false` and match the default `config.toml`.
<img width="868" height="723" alt="Screenshot 2026-04-01 at 15 53 54"
src="https://github.com/user-attachments/assets/5e3e33a0-5edb-44d6-a013-4327aef537b4"
/>
## Additional context
Fixes: https://github.com/supabase/cli/issues/3737
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated CLI configuration defaults for TOTP multi-factor
authentication. TOTP enrollment and verification are now disabled by
default. Users relying on these features may need to manually enable
them in their configuration if required.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- The Free Plan section in `database-size.mdx` was ambiguous — it said
"when you exceed the 500 MB limit" without specifying which limit
- Clarified that the 500 MB threshold is the **database size** limit
(actual Postgres data), while Free Plan projects include 1 GB of total
disk space
- This explains why read-only mode triggers before total disk usage is
reached
Closes#43487
## Test plan
- [ ] Documentation renders correctly at
`/docs/guides/platform/database-size`
- [ ] Wording is unambiguous about database size vs disk size
distinction
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Clarified Free Plan read-only mode: the 500 MB threshold applies to
database size (Postgres data), not overall disk usage.
* Made Pro Plan instructions explicit: upgrading increases the database
size quota rather than a generic disk limit.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the new behavior?
The error message returned by the edge runtime has changed in
production. Updated the docs to reference the newer message
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated troubleshooting guide for 401 error responses with improved
error message clarity and example scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs update
## What is the current behavior?
A very minor type fix of the tus sample code we have in the docs.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Fixed resumable upload example to use correct format for the cache
control parameter in code snippets.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the current behavior?
No link
## What is the new behavior?
1. Mention not all S3 clients are expected to work
2. Add link to Cyberduck integration as an example
## Additional context
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## TL;DR
fixes a cron job parsing issue where the `HTTP request body`
could include content from a later argument when editing an existing job
## ex:
<table>
<tr>
<td valign="top" width="50%">
<strong>Before:</strong>
<br />
when editing some existing <code>net.http_post(...)</code> cron jobs,
studio populated the <code>HTTP Request Body</code> field with extra
content from the following argument instead of only the body value
<br /><br />
<img width="532" height="108" alt="before"
src="https://github.com/user-attachments/assets/eccf1f6b-3e4c-4d6d-8611-e144794fac8f"
/>
</td>
<td valign="top" width="50%">
<strong>After:</strong>
<br />
now it stops parsing the body at the correct boundary, so the <code>HTTP
Request Body</code> field only contains the intended body content
<br /><br />
<img width="165" height="69" alt="after"
src="https://github.com/user-attachments/assets/92f5cf44-ad8c-409c-a0f5-5b9c1664ccd0"
/>
</td>
</tr>
</table>
added a smol regress test aswell :)
## ref:
- closes https://github.com/supabase/supabase/issues/44794
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed parsing of cron job commands with quoted JSON body parameters
and additional arguments to ensure headers and timeout parameters are
correctly recognized.
* **Tests**
* Added test case to validate correct parsing of complex cron job
command configurations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Simplified guidance for handling leaked or compromised service_role
(JWT) keys: consolidated prior branching instructions into a single,
clear recommendation to replace the service_role key via the standard
secret-key rotation process to avoid downtime.
* Removed an obsolete "rotate service role key" further-reading link to
streamline troubleshooting and reduce duplication.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: Cameron Blackwood <38852603+Reikon95@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs update
## What is the new behavior?
- Added docs for analytics and vector buckets
- Added missing docs for some storage bucket methods
- Improved OAuth / OTP guide
- Small fixes
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Documentation
- Updated Kotlin authentication guides with improved examples, API
naming consistency, and comprehensive Kotlin Multiplatform support
- Added documentation for identity linking with ID tokens
- Expanded Storage API documentation with new file operation methods
(`exists()` and `info()`)
- Added extensive vector storage bucket operations and management
documentation
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the current behavior?
Inconsistent naming of publishable key environment variables across
dashboard, docs, ai skills, templates etc
## What is the new behavior?
Consistent naming of publishable key environment variables across
dashboard, docs, ai skills, templates etc
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated environment variable naming across example projects. Changed
`VITE_SUPABASE_PUBLISHABLE_DEFAULT_KEY` to
`VITE_SUPABASE_PUBLISHABLE_KEY` in configuration and initialization
files for the React quickstart and user-management examples.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## Summary
Follow-up to #44801 — fixes the data layer issue flagged in the review
comment.
The previous fix handled the display crash (`table.columns.map` when
`columns` is undefined) but left the edit/save path broken. When a
Stripe wrapper table has `null` columns from the DB (e.g. `jsonb_agg`
returns `NULL` when there are no rows), `formatWrapperTables` was
forwarding that `null` directly into the react-hook-form state. The Zod
`tableSchema` declares `columns` as a non-optional `z.array(...)`, so
the zodResolver rejected the form silently on save — the Save button
appeared to do nothing with no error shown to the user.
## Change
In `Wrappers.utils.ts`, `formatWrapperTables`:
```ts
// before
columns: table.columns,
// after
columns: table.columns ?? [],
```
This ensures the form is always initialized with a valid array,
satisfying the Zod schema and allowing saves to proceed normally.
---
Slack thread:
https://supabase.slack.com/archives/C063LNYJJKS/p1776067210776939?thread_ts=1776067141.988569&cid=C063LNYJJKShttps://claude.ai/code/session_01N6nyTggA68yktWg4b46ssL
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed an issue where wrapper tables could fail to display correctly
when column data was missing or invalid.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Claude <noreply@anthropic.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Supabase Dashboard - Connect
## What is the current behavior?
On the new `<ConnectSheet />` component their is no deep linking like
the previous `<Connect />` component
## What is the new behavior?
Deep linking added onto framework and other options, Example local
links:
http://localhost:8082/project/default?showConnect=true&connectTab=framework&framework=nextjs&using=pageshttp://localhost:8082/project/default?showConnect=true&connectTab=mcp&mcpClient=goose
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Connect Sheet supports URL query parameters for pre-configuring
connection settings (framework, using, method, type, mcpClient).
* Legacy tab identifiers are accepted for compatibility.
* **Improvements**
* Opening, switching, and closing the Connect Sheet now more reliably
syncs and clears related parameters to avoid stale state.
* **Tests**
* Added end-to-end tests covering deep-linking, legacy aliases, and
parameter clearing on close/mode change.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## Summary
- Adds null check for `table.columns` in `CreateWrapperSheet` and
`EditWrapperSheet` to prevent runtime errors when columns are undefined
- Fixes TypeError: "can't access property 'map', e.columns is undefined"
on `/dashboard/project/[ref]/integrations/stripe_wrapper/overview`
## Problem
When viewing the Stripe wrapper integration overview page, users
encounter a JavaScript error because `table.columns` can be undefined in
some cases, but the code attempts to call `.map()` on it directly.
## Solution
Changed `table.columns.map(...)` to `(table.columns ?? []).map(...)` to
safely handle cases where columns is undefined by defaulting to an empty
array.
## Test plan
- [ ] Navigate to
`/dashboard/project/[ref]/integrations/stripe_wrapper/overview` with a
wrapper that has tables with undefined columns
- [ ] Verify no JavaScript error occurs
- [ ] Verify tables without columns display correctly (showing "Columns:
" with nothing after)
---
Slack thread:
https://supabase.slack.com/archives/C063LNYJJKS/p1776067210776939?thread_ts=1776067141.988569&cid=C063LNYJJKShttps://claude.ai/code/session_01N6nyTggA68yktWg4b46ssL
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed a stability issue in wrapper integrations where missing or
undefined column information from foreign tables could cause display
problems. The interface now safely handles these edge cases with
improved spacing and more reliable column rendering, ensuring consistent
and predictable presentation of integration data regardless of data
availability or table configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Claude <noreply@anthropic.com>
Next.js 16.2
• Up to ~60% faster rendering
• Up to ~400% faster 𝚗𝚎𝚡𝚝 𝚍𝚎𝚟 startup
• Server Function 𝚍𝚎𝚟 logging
• Redesigned error page
• Better hydration errors
• 𝙴𝚛𝚛𝚘𝚛.𝚌𝚊𝚞𝚜𝚎 display in error overlay
https://nextjs.org/blog/next-16-2
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated core build/dev tooling versions for more predictable installs
(analyzer and Turbo bumped).
* Relaxed workspace release gating by reducing minimum release age and
narrowing the list of tooling exclusions, streamlining staged upgrades.
* No runtime or public API changes; configuration and tooling-only
updates.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
We currently have 2 libraries for schema validation: `yup` that was used
with `formik` and `zod` which is now the preferred one.
## Solution
Migrate the MFA settings form to use `zod`.
No visual changes.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* MFA settings forms now use stronger, consistent schema validation with
numeric input coercion and improved typing for more reliable form
behavior.
* Simplified form reset/synchronization for more predictable state
updates.
* **Bug Fixes**
* MFA update requests now send only intended fields.
* Fixed Enhanced MFA Security “Save changes” button to show the correct
loading state.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
Now that all forms have been migrated to `react-hook-form`, we can
remove `formik` as well as some unused deprecated components
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Removed formik dependency from the UI package.
* Removed Form and InputNumber components and their public re-exports.
* Removed FormContext and the form hook exports.
* Simplified multiple components (Input, Checkbox, Radio, Select,
Toggle, Listbox) by removing form-context integration.
* Removed InputNumber styling and theme configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Remove the outdated GitHub discussion feedback link from the "Queue
table operations" dashboard setting
- Clean up the unused `discussionsUrl` prop and related rendering logic
from `DashboardToggle`
Closes FE-2973
## Test plan
- [ ] Verify the "Queue table operations" toggle in Account >
Preferences no longer shows a "Give feedback" link
- [ ] Verify the "Edit entities in SQL" toggle still renders correctly
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Refactor**
* Removed the feedback link from dashboard settings toggles. The "Give
feedback" option is no longer available in the preferences interface.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Disabled email-based user signup for the production environment.
* Disabled local database network restrictions to simplify local
development and testing.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## TL;DR
fixes the Auth Users provider badge for Web3 users so it reflects the
actual enabled provider state
## problem
Web3 authenticated users appeared `Disabled` in `Authentication -> Users
-> Provider Information`
This happened because the user provider is stored as `web3`, while the
actual enabled state is chain specific (`solana` / `ethereum`)
<p align="left">
<img width="443" height="281" alt="Image"
src="https://github.com/user-attachments/assets/4918cbdb-75a4-4bd9-b9e5-511dcced5447"
/>
</p>
## solution
When the provider is `web3`, resolve the enabled badge from
`raw_user_meta_data.custom_claims.chain` (saw that in the payload while
testing) and map it to the correct Web3 config flag:
- `solana` -> `EXTERNAL_WEB3_SOLANA_ENABLED`
- `ethereum` -> `EXTERNAL_WEB3_ETHEREUM_ENABLED`
<p align="left">
<img width="148" height="43" alt="image"
src="https://github.com/user-attachments/assets/9d21b8fc-da93-4dcd-9cdb-5c0eacef2a27"
/>
</p>
## ref:
- closes https://github.com/supabase/supabase/issues/44724
- closes https://github.com/supabase/supabase/issues/39568
- closes https://github.com/orgs/supabase/discussions/39563
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Corrected web3 provider enabled status detection by mapping user chain
configuration to provider settings.
* **Tests**
* Added test coverage for web3 user enabled status display.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Consolidate tax ID saving into the `PUT
/organizations/{slug}/customer` endpoint instead of using a
separate `/tax-ids` endpoint
## Test plan
### Updating billing information
From the billing dashboard`/org/_/billing`:
- [ ] Manually test updating billing address + tax ID from org billing
settings - single API call should save both
- [ ] Clear the Tax ID in the org, save and assert that it has been
deleted
- [ ] Modify all the fields in the address form, including TaxID. Click
"Cancel" and assert that everything has returned to the previous values.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Billing address and tax ID updates are now sent in a single update
operation.
* Error messaging for billing updates consolidated into a single failure
notification.
* Tax ID handling clarified: you can clear tax ID explicitly or leave it
unchanged; omitting address fields no longer overwrites existing
address.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Problem
The Docs feedback modal still uses the old `Form` component with
`formik`
## Solution
Migrate it to `react-hook-form`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Improvements**
* Enhanced feedback form with schema-driven validation requiring title
and comment before submission.
* Submission buttons disable while submitting; cancel now also resets
the form state.
* **Chores**
* Added form handling and validation libraries to support the improved
feedback experience.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Simplify the Connect modal for Multigres/High Availability projects.
Pooling is always on for these projects, so the connection method
distinction doesn't apply.
**Removed:**
- Connection Method selector (Direct/Transaction/Session) for HA
projects
- IPv4 add-on panel for HA projects
- Pooler badge (Shared/Dedicated) for HA projects
**Changed:**
- "Type" label renamed to "Connection Type" for HA projects
- Default connection method set to `transaction` (instead of `direct`)
for HA projects
Non-HA projects are completely unaffected.
## To test
- Open Connect sheet → Direct tab on a **non-HA project** — verify
everything looks the same as before
- Open Connect sheet → Direct tab on an **HA project** — verify:
- No Connection Method radio selector
- Label reads "Connection Type" instead of "Type"
- No IPv4 status panel
- No pooler badge
- Connection string displays correctly
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Improvements**
* Connection UI now adapts for high-availability projects: hides pooler
options and IPv4 status, and updates the connection type label for
clarity.
* **Tests**
* Added tests covering connection configuration behavior when a project
is high-availability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the new behavior?
How to Restore Project After a 90-Day Pause troubleshooting guide
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a troubleshooting guide for recovering projects paused over 90
days that cannot be restored via the dashboard.
* Describes a step-by-step recovery workflow: export available database
backups and Storage objects, create a replacement project, restore the
database, restore Storage content, and reapply project configurations.
* Notes expected errors during restore, includes an image and video
walkthrough, optional automation script guidance, and links to related
migration and backup/restore guides.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Jeremias Menichelli <jmenichelli@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Bug fix
## What is the current behavior?
Fixes#34967
The `/account/me`
([https://supabase.com/dashboard/account/me](https://supabase.com/dashboard/account/me))
preferences page has layout shifting during profile loading.
## What is the new behavior?
- Loading skeletons now match the structure of the loaded content (one
card per dynamic section)
- Static sections only render in the non-error branch, preventing them
from appearing alongside error messages
- Removed unused `isSuccess` destructure from `useProfile()`
- CLS value now on good range <= 0.10.
<img width="1917" height="905" alt="Screenshot from 2026-02-11 00-39-19"
src="https://github.com/user-attachments/assets/1d8fa7e1-9ca3-49ae-b4b8-1c0f28ebbf93"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Enhanced the loading state interface on the account settings page with
improved visual indicators. Updated the component structure for better
UI consistency and refined the visual feedback mechanism during profile
data retrieval.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com>
## What kind of change does this PR introduce?
Bug fix. Resolves FE-2959.
## What is the current behaviour?
Grouped inputs strip the inner control border with `border-0`, while the
outer `InputGroup` is responsible for the visible outline. After #44703,
grouped form inputs now receive the correct validation attributes, but
the primitive still removes the inner border dimensions entirely. That
keeps the visual layer brittle and can lead to inconsistent error
rendering, especially in light mode where the grouped password field
does not match the Project name input.
The shared `ui-patterns` input wrapper also inherits the generic
`inline-end` button spacing from `InputGroupAddon`, which pushes the
password copy button slightly too far to the right.
## What is the new behaviour?
The shared grouped-input primitive now keeps a transparent inner border
instead of removing border widths entirely. The outer `InputGroup`
continues to own the visible border, focus ring and error treatment, but
the inner control now has stable border metrics and no redundant
dark-mode background override.
The grouped invalid state now also matches the plain input treatment
more closely:
- unfocused error border uses `destructive-400`
- focused error border uses `destructive`
- error background uses `destructive-200`
The `ui-patterns` input wrapper now overrides the inherited `inline-end`
negative margin for its own copy/reveal button addon, so the password
copy button sits in the right place without changing spacing for other
direct `InputGroup` consumers.
| Before | After |
| --- | --- |
| <img width="1338" height="284" alt="CleanShot 2026-04-09 at 13 43
50@2x-91489355-5EEA-4884-BAA2-B93B28F1D7CB"
src="https://github.com/user-attachments/assets/ed40683b-8a87-4deb-8a0f-f892d00894f0"
/>| <img width="1334" height="278" alt="CleanShot 2026-04-09 at 13 41
36@2x-5D7E930B-EDB2-4002-9367-34ACE2DF4DB4"
src="https://github.com/user-attachments/assets/7d9594a4-9988-480e-a809-9f5ed29e8e24"
/> |
| <img width="1336" height="210" alt="CleanShot 2026-04-09 at 14 06
15@2x-05379F74-4CA5-4E6E-9250-CBA2764C1318"
src="https://github.com/user-attachments/assets/25e48cd4-de0a-47f3-9022-d7a3829a0626"
/> | <img width="1334" height="210" alt="CleanShot 2026-04-09 at 14 12
11@2x-11FBC519-D398-4A59-971A-97FBFEF610DE"
src="https://github.com/user-attachments/assets/91c3710c-7773-4286-854d-7b7144db85ab"
/> |
An easy place to test this is the Database password field in the New
Project creation flow. See also the Minimum password length field in
Email (Sign In / Providers).
## Summary
- update `packages/ui/src/components/shadcn/ui/input-group.tsx`
- replace `border-0` on grouped inputs/textareas with transparent
borders
- remove the redundant `dark:bg-transparent`
- keep the inner grouped controls visually neutral so the outer group
owns the rendered border state
- align grouped invalid border and background styling with the plain
input treatment
- update `packages/ui-patterns/src/DataInputs/Input.tsx` so copy/reveal
buttons do not inherit the extra right pull intended for other
`inline-end` addons
## Problem
The input groups components introduced in #44282 don't have the
validation attributes when invalid. This hurts accessibility and also
break the design:
<img width="1730" height="324" alt="image"
src="https://github.com/user-attachments/assets/a3fb8d86-f3a8-46bb-aa53-d0599c11f056"
/>
## Solution
This is because the wrapper `<FormControl_Shadcn_>` passes the
validation props to its direct child.
The solution is to avoid applying them on the `<InputGroup>` and to
apply them manually on the inputs.
I also fixed a small accessibility issue by moving the addon texts after
the input so that screen readers announce them in the correct order. No
visual change for this
<img width="587" height="158" alt="image"
src="https://github.com/user-attachments/assets/1f8858ea-6659-45f9-964e-8c43a7fe14ba"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Unified numeric input layout by moving unit labels/suffixes (e.g.,
"seconds", "GB", "%", "connections", "digits", "IOPS", "MB/s", "rows")
to appear after their inputs for a consistent, predictable form
appearance.
* **Accessibility**
* Form controls now expose IDs and ARIA attributes from form context
when available, improving screen-reader descriptions and error
association.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>
We are currently migrating to the safeSql utility for all SQL arguments
of executeSql. During the migration, executeSql will continue to accept
plain strings for backwards compatibility. Adding a custom ESLint rule
so we can ratchet this and prevent new calls of executeSql with plain
strings.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added SQL safety validation throughout the application to enforce
secure query construction and prevent SQL-related vulnerabilities
* Introduced type-aware linting to identify and catch type-related
issues during development and continuous integration processes
* **Chores**
* Enhanced continuous integration pipeline with improved code quality
enforcement
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Standardized SQL construction across the pg-meta package to use
parameter-safe SQL fragments instead of raw string assembly, improving
safety for dynamic values (filters, limits, offsets, identifiers) and
unifying how exported SQL constants and query helpers are produced. No
functional query behavior changes expected.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
#44677 modified the previous behaviour on callback URLs. It used to
prevent users to remove the URL if only one was provided.
## Solution
Restore the previous behaviour.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed the Remove button behavior for OAuth callback URLs. The button
now only appears when multiple callback URLs are configured, preventing
accidental deletion of the only redirect URI.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the new behavior?
SSL modes table reference
<img width="1000" height="567" alt="CleanShot 2026-04-05 at 15 39 27"
src="https://github.com/user-attachments/assets/ed05d05b-b559-4554-aef1-d70038f520b9"
/>
## Additional context
While there is a table available in postgres docs, other providers do
include simplified versions of that table.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a clear reference table for Postgres client-side SSL modes
(disable, allow, prefer, require, verify-ca, verify-full), summarizing
encryption, certificate authority validation, hostname verification, and
connection behavior for each mode.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
-
[**SUPABASE-APP-E2R**](https://supabase.sentry.io/issues/SUPABASE-APP-E2R):
Guard against undefined entries in notifications array in
`AdvisorButton` (optional chaining on `.some()` callbacks)
-
[**SUPABASE-APP-EBA**](https://supabase.sentry.io/issues/SUPABASE-APP-EBA):
Remove render-time `handleError()` throw in `useEdgeFunctionsDiff` — the
hook already handles missing body data gracefully
-
[**SUPABASE-APP-BVN**](https://supabase.sentry.io/issues/SUPABASE-APP-BVN)
/
[**SUPABASE-APP-BTV**](https://supabase.sentry.io/issues/SUPABASE-APP-BTV):
Guard `localStorage` access in `FeaturePreviewContext` with try-catch,
matching the established pattern in `useLocalStorage.ts` (Safari private
browsing)
-
[**SUPABASE-APP-AV3**](https://supabase.sentry.io/issues/SUPABASE-APP-AV3):
Filter stale folder IDs before passing `expandedIds` to
`react-accessible-treeview` in the SQL editor nav
## Test plan
- [x] Verify AdvisorButton renders without errors when notifications
data has sparse pages
- [x] Verify branch merge page loads when edge function body fetch fails
- [x] Verify feature previews initialize correctly in Safari private
browsing
- [x] Verify SQL editor folder expand/collapse works after deleting a
folder
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Feature preview now falls back safely when browser storage is
unavailable
* Notifications display updated to tolerate missing entries without
errors
* Private snippets navigation no longer preserves expansion state for
removed nodes
* **Refactor**
* Streamlined error aggregation in edge functions diff processing
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
Foreign wrapper forms still use `formik` but we now use
`react-hook-form` everywhere and we'd like to reduce our dependencies.
## Solution
This PR focuses on migrating the OAuth apps form to `react-hook-form`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Reworked the OAuth app publish form to use schema-driven validation
and managed callback URL fields.
* Replaced bespoke URL state/handlers with add/remove field array logic;
consolidated error rendering.
* Submission, loading and preview now reflect real-time form state and
reset correctly when the panel or selection changes.
* **Bug Fixes**
* Improved URL validation to handle localhost cases and optional
HTTPS-only enforcement.
* **Tests**
* Extended URL validation tests to cover localhost, HTTP/HTTPS and
HTTPS-only scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What kind of change does this PR introduce?
Docs update
## Additional context
The Smart CDN documentation lacked clarity around caching behavior for
signed URLs used with private bucket assets. This update adds that
missing detail.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a Smart CDN guide section on signed URL caching at the CDN edge:
each unique signed URL is a separate cache key.
* Explained cache behavior: first request for a specific signed URL is a
miss; subsequent identical requests are cache hits; cached responses
remain until CDN cache expiry.
* Clarified access-control interactions: revoking/expiring a token does
not purge cached content; deleting the object invalidates cached entries
(propagates within ~60s).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: ferhat elmas <elmas.ferhat@gmail.com>
Show OAuth server endpoints in oauth server settings page.
Preview: [OAuth Server
settings](https://studio-staging-git-chore-show-oauth-server-endpoints-supabase.vercel.app/dashboard/project/_/auth/oauth-server)
<img width="1138" height="496" alt="Screenshot 2026-01-09 at 12 00 31"
src="https://github.com/user-attachments/assets/eeca7726-0426-4abe-990d-271b702e4f7b"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added an OAuth endpoints table showing Authorization, Token, JWKS, and
Discovery/OpenID URLs with copy-to-clipboard and a masked preview mode.
* Inline preview of the Authorization URL when an authorization path is
set.
* **Improvements**
* Reorganized OAuth server settings for clearer enable/disable flow,
conditional field visibility, and disable confirmation.
* Dynamic loading of the endpoints table, improved loading skeletons,
layout refinements, and form reset to reflect saved defaults.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ali Waseem <waseema393@gmail.com>
Cleanup task following https://github.com/supabase/supabase/pull/43194
I noticed the run of `braintrust-scorers-deploy.yml` included the branch
prefix on scorers in Assistant. This is unnecessary since there's only
one copy of scorers in the "Assistant" project, unlike "Assistant
(Staging Scorers)" which uses prefixes to disambiguate branches.
<img width="502" height="262" alt="CleanShot 2026-03-09 at 15 45 19@2x"
src="https://github.com/user-attachments/assets/214ec1e8-5f40-411f-8d2a-71cc4a5fc294"
/>
This is a small housekeeping correction so scorers in the main
"Assistant" project don't include branch prefixes, whereas scorers from
PRs deployed to "Assistant (Staging Scorers)" remain prefixed.
https://docs.github.com/en/actions/reference/variables-reference
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated CI deployment configuration for scorer branch/prefix handling
to optimize behavior across different GitHub event types (PR vs.
push/dispatch events).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
Removes `_DEFAULT` from the publishable key env var name across all
Connect and ConnectSheet framework content, so that e.g.
`NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY` becomes
`NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY`. This matches the docs and sample
apps.
### Connect
- Next.js (App Router)
- Next.js (Pages Router)
- React (Create React App)
- React (Vite)
- Remix
- SolidJS
- SvelteKit
### ConnectSheet
- Next.js (App Router)
- Next.js (Pages Router)
- React (Create React App)
- React (Vite)
- Remix
- SolidJS
- SvelteKit
- Vue.js
- shadcn env step
Resolves FE-2934
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Standardized environment variable names in generated connection/setup
instructions: when a publishable key is present the templates now
reference the publishable env var (e.g.,
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY, VITE_SUPABASE_PUBLISHABLE_KEY,
REACT_APP_SUPABASE_PUBLISHABLE_KEY, etc.) with unchanged anon-key
fallback behavior.
* Updated cURL/tab placeholders to reflect the new publishable-key
identifier when hiding keys.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The Connect Sheet install step only listed `@supabase/supabase-js`, but
the generated code for Next.js (app router) and Remix imports from
`@supabase/ssr` – so users following the steps immediately hit import
errors.
**Added:**
- `EXTRA_PACKAGES` map in `connect.schema.ts` – frameworks declare
additional packages on top of the base library install, keyed by
`framework/variant` for granularity (e.g. `nextjs/app` gets
`@supabase/ssr`, `nextjs/pages` does not)
- Install content component appends extras automatically
- Step title pluralises to "Install packages" when extras are present
- Tests for extra packages, variant-specific install commands, and step
titles
**Changed:**
- Next.js steps now branch on `frameworkVariant` so app router and pages
router can have different install steps
- Remix gets an explicit entry in the step tree (previously fell through
to DEFAULT)
## To test
- Open Connect Sheet → Framework → Next.js → App Router
- Install step should say "Install packages" and show `npm install
@supabase/supabase-js @supabase/ssr`
- Switch to Pages Router
- Install step should say "Install package" and show `npm install
@supabase/supabase-js`
- Switch to Remix
- Install step should say "Install packages" and show `npm install
@supabase/supabase-js @supabase/ssr`
- Other frameworks (Vue, SvelteKit, etc.) should be unchanged
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Enhanced package installation guidance to include framework-specific
additional packages (e.g., @supabase/ssr for Next.js App Router and
Remix).
* Installation step labels now accurately reflect the number of packages
being installed.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
Removes the temporary killswitch that was blocking tracing in production
environments.
Note this still excludes from tracing projects that are any of the
following:
- HIPAA sensitive
- Hosted in EU regions
- Within orgs where some owner previously signed our DPA
See [approval
message](https://supabase.slack.com/archives/C051L8U2EJF/p1775526578561789?thread_ts=1775144006.270549&cid=C051L8U2EJF)
for context.
Closes AI-450
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Tracing enablement now depends solely on the presence of required API
credentials instead of environment-based restrictions, enabling
diagnostic tracing functionality across all environments.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
